Tuesday, May 28, 2013

Promiscuous mode and Avahi

This morning after updating my workstation, which is currently running openSUSE 12.3, I was unpleasantly surprised to see a continuously elevated network load of 80-100KiB/s (down) on eth0. Using wireshark, I looked at the traffic that was going over the interface. There seemed to be a lot more traffic than I should normally see here on the LAN.

At first I thought the interface might be in promiscuous mode. Googling on the net, I found several seemingly credible sources that advised me to do this:
# netstat -i
Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0   270555      0    738      0    15408      0      0      0 BMRU
lo    65536   0     1936      0      0      0     1936      0      0      0 LRU

and look at the flags (last column: Flg). According to the sources, the M flag indicates promiscuous mode. Don't believe it. That flag actually means Multicast mode. And you can get the same information that netstat -i provides, but in a more verbose format, using one (or both) of these commands:
# ip a s
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 5c:f9:dd:6b:97:29 brd ff:ff:ff:ff:ff:ff
    inet 10.100.12.15/18 brd 10.100.63.255 scope global eth0
# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 5C:F9:DD:6B:97:29  
          inet addr:10.100.12.15  Bcast:10.100.63.255  Mask:255.255.192.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:271495 errors:0 dropped:757 overruns:0 frame:0
          TX packets:15859 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:106828593 (101.8 Mb)  TX bytes:2158179 (2.0 Mb)
          Interrupt:20 Memory:e1500000-e1520000 

This shows what the netstat -i flags (BMRU) actually mean:
B == BROADCAST
M == MULTICAST
R == RUNNING
U == UP

None of this, of course, has any bearing whatsoever on promiscuous mode, and the elevated network load I was seeing was actually caused by Avahi.

Avahi Daemon


Avahi is one of these new-fangled services that are pooh-poohed by old geezers like myself. What it is, is an implementation of Multicast DNS (mDNS), which provides DNS-like services without any configuration. The idea being that you simply plug a bunch of computers running Avahi into a LAN segment (i.e., a switch) and they automatically learn about eachother. Avahi running on each computer finds out what services that computer is configured to provide and broadcasts that information over the network. The other Avahi instances running on the other computers do the same. The result can easily be seen by running:
# zypper in avahi-utils
# avahi-browse -a

Anyway, all of this is moot. The only reason Avahi (or avahi-daemon) was running on my computer was because openSUSE 12.3 installs it by default. I don't know, or care, why it suddenly started causing that elevated network load. The problem disappeared when I stopped the avahi-daemon process:
# rcavahi-daemon stop

For good measure, I also did:
# zypper rm avahi

And what about promiscuous mode


If you really want to turn promiscuous mode on and off, you can use, e.g., ifconfig as follows:
# ifconfig eth0 promisc    # turn promiscuous mode on
# ip a s
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 5c:f9:dd:6b:97:29 brd ff:ff:ff:ff:ff:ff
    inet 10.100.12.15/18 brd 10.100.63.255 scope global eth0
# ifconfig eth0 -promisc   # turn promiscuous mode off

No comments:

Post a Comment